Posted by timothy on Friday July 22, 2011 @09:05PM from the perfect-for-bureaucrats dept.

An anonymous reader writes "Despite its current struggles to win over consumers, RIM has always been strong in the enterprise. The company remained steadfast in its support for corporate environments with the launch of the PlayBook, calling it the only business-grade tablet. The NIST is now ready to back that claim, giving the BlackBerry PlayBook its stamp of approval — meaning it's now the lone tablet that is certified for use in U.S. government agencies."

Where I live, few people use BlackBerrys (iPhone and Android devices are far more prevalent) and the few BlackBerry users I've spoken to seem to have been disappointed with them. So that's my interpretation of the "Gov't approval" post.

We in the Air Mobility Command - think cargo jets - have been looking at tablets for flight pubs and Jeppesen products. The iPad is without question out for various reasons. The two we have been looking at are the HP TouchPad, and the RIM product. The HP product has received better feedback, but because the RIM product already has the NIST approval (and the fact that the government is already in love with RIM), it is probably the direction we will go. Keep in mind that, of course, the air crew will still have to haul around the paper products, they just will not use them. Also, most of our guys already pack personal iPads, but they cannot be officially used for anything involving the actual operation of the aircraft.

Buy in volume and distribute, that looks like applications still will be tied to a user; companies want applications tied to them and to be able to move licences between users. "You will receive redemption codes for each app. You can control who gets the apps by providing these codes to users via email or an internal website" looks like apps are distributed, but could the company later assign that app to another user? If not, it's an awful program from the business company point of view, for Apple and the devel

Is that true? I have very limited experience with rollouts of software in large environments (as I currently work at a small company) but our volume licensing setup for Adobe products is tied to the machine, not the user. I thought that was fairly common?

In my limited, thankfully, experience dealing with licensing, the license following the user or device depends upon the software being licensed. The OS belongs to the machine, or in a large organization, the organization. Third party applications follow the user, within the organization. But, the licenses tied to a user can be moved within the organization.

that looks like applications still will be tied to a user; companies want applications tied to them and to be able to move licences between users.

Citrix and Microsoft have similar licensing models.

With Citrix/Microsoft per-user licensing you assign a license to a user.
It is possible to re-assign a license from one user to another, but once you do so, there is a significant waiting period before you are allowed to re-assign the license again.

that's for apps from 3rd parties. Say you want everyone on your team to use Angry Birds: you buy a bunch of licenses and distribute them to your team. It's not terribly different from buying bulk licenses for something like Photoshop. IT buys the licenses then decides who gets one.

but

there's also a way to deploy apps made by you (or for you) internally. You don't see the SalesForce apps in the App Store. You can also distribute apps via email (in your company) if each device is provisioned. Once it is, you can ge

Businesses have a variety of options for deploying iPad across their enterprises. End-users can quickly install configuration profiles to get corporate services up and running. For large scale deployments IT can query and manage devices with Mobile Device Management. iTunes can be customized to fit the needs of both IT and end-users. And, enterprises can also distribute custom iPad apps over-the-air for their users to install.

apple probably doesn't want anything to do with the GSA or any government business

Why? What would it be about selling several dozen 1000 of these things and the support contract that would go with them to the DoD that Apple wouldn't like?

But, the iPad is a consumer product that answers consumer needs, not general computing needs. The DoD (and I suspect most "enterprise") will not be using their tablets primarily for social interaction and watching multimedia, viewing photo albums, playing games and such - consumer wants and needs, not "enterprise" wants and needs.

For us it has a lot to do with custom applications and the available development languages. The iPad is a very nice product, but as a platform is tightly controlled by Apple (as is their right, it's their product).

which according to our tech people will not be fixed by Apple until sometime in 2012.

Apparently iOS devices will retry a failing password over and over, locking out the account. Happened to me and they told me, next time I change my password on the network, delete the network entry from my iPad and recreate it afterward. They determined my iPad spammed the network with my old password the moment I turned it on.

How do you propose to stop an attacker who changes IP and/or MAC addresses with every new password attempt?

Well... first of all: if you only saw failed attempts from one or two IP addresses, then you can be quite confident that's not what's happening.
Second: if you see failed attempts to a user in rapid succession from many IP addresses, then you know something is amiss.

You've come up with an unusual theoretical, and quite implausible attack.
There aren't enough IP addresses out there to change IPs a

IP address is not just a free form field a computer can change to whatever it wants -- the IP address you want to use actually has to be routable, otherwise it's useless.

Botnets. Plus you presume a simple brute-force attack rather than a dictionary attack or something even more specific to the target account like names of family members.

The only way that makes any sense at all is if the attack source is on the LAN; which means either an internal system has already been compromised, or you have an insider attacking through an inefficient method (trying brute force, when there are much simpler and more successful methods).

Neither are reasons to dismiss such a straightforward vulnerability.

As for someone playing with MAC addresses.... it's called Port Security or 802.1x authentication, esp. in the case of wireless.

At which point you are at the same practical result - the only node the user cares about - the one in his hands - is locked out.

I really don't see a practical use to selectively locking out a device versus simply locking down the account. In either case you've got a user w

The existence of extreme examples such as botnets is no reason to botch the common case of a single user with a few devices failing authentication, and have the defect of locking an account as a result of a mistake by one device. The security instrumentation of a system that cannot distinguish between a botnet attack on an account and failed login attempts from one device, or a small number of devices, is fundamentally flawed.

It's really rather simple.... if more than 10 failed login attempts occu

On this we will disagree. If you aren't prepared for the extreme case then your security is, pretty much by definition, ineffective.

Then based on your definition, everyone's security is inherently ineffective, and incapable of being remedied.

By the way, account locking doesn't reduce the chance of a botnet based brute force attack.
A typical botnet brute force attack looks like two or three password attempts on a large dictionary of usernames. A botnet brute force attack does not look like a bunch of
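The distinction argued above (one stuck device retrying a stale password, many sources hammering one account, and the few-attempts-per-user spray pattern described in the reply just above) as an added Python example. This is not code from any commenter; the log format, thresholds and addresses are constructed assumptions.

```python
"""Failure-tracking policy that tells a single stuck device apart from a
distributed attack on one account and from a username spray.
Added example; the thresholds and the 'ts user src FAIL' line format are
assumptions, and every sample line below is constructed."""
from collections import defaultdict, deque

WINDOW = 300            # seconds of failure history kept (assumed)
PER_SOURCE_LIMIT = 5    # failures from one source => throttle that source only
DISTINCT_SOURCES = 5    # distinct sources failing on one account => lock account
SPRAY_USERS = 20        # distinct accounts failed from one source => spray alert
SPRAY_MAX_PER_USER = 3  # spray signature: few attempts per account


class LockoutPolicy:
    def __init__(self):
        self.fails = defaultdict(deque)  # (user, src) -> failure timestamps
        self.throttled = set()           # (user, src) pairs refused further attempts
        self.locked_accounts = set()
        self.spray_sources = set()

    def _recent(self, key, now):
        """Drop failures older than WINDOW and return what is left."""
        q = self.fails[key]
        while q and now - q[0] > WINDOW:
            q.popleft()
        return q

    def record_failure(self, now, user, src):
        """Return the action taken for one failed login attempt."""
        key = (user, src)
        if user in self.locked_accounts:
            return "account-locked"
        if key in self.throttled:
            return "source-throttled"
        if src in self.spray_sources:
            return "spray-blocked"
        q = self._recent(key, now)
        q.append(now)
        # Case 1: one device hammering one account (e.g. a cached old
        # password). Throttle that device; the user can still log in elsewhere.
        if len(q) >= PER_SOURCE_LIMIT:
            self.throttled.add(key)
            return "throttle-source"
        # Case 2: many distinct sources failing on the same account.
        srcs = {s for (u, s) in self.fails if u == user and self._recent((u, s), now)}
        if len(srcs) >= DISTINCT_SOURCES:
            self.locked_accounts.add(user)
            return "lock-account"
        # Case 3: one source, few attempts each, across many accounts (spray).
        # Per-account lockout never fires here, so the source is what gets flagged.
        users = {u for (u, s) in self.fails if s == src and self._recent((u, s), now)}
        if len(users) >= SPRAY_USERS and all(
                len(self.fails[(u, src)]) <= SPRAY_MAX_PER_USER for u in users):
            self.spray_sources.add(src)
            return "spray-alert"
        return "count"


def run(lines):
    """Feed constructed 'ts user src FAIL' lines; return (policy, actions)."""
    policy, actions = LockoutPolicy(), []
    for line in lines:
        ts, user, src, outcome = line.split()
        if outcome == "FAIL":
            actions.append(policy.record_failure(int(ts), user, src))
    return policy, actions


# Constructed scenario A: a tablet with a cached old password retries 8 times.
STALE_DEVICE = [f"{10 * i} alice 10.0.0.7 FAIL" for i in range(8)]
# Constructed scenario B: six different hosts each fail once on alice's account.
DISTRIBUTED = [f"{5 * i} alice 203.0.113.{i} FAIL" for i in range(6)]
# Constructed scenario C: one host tries two passwords against 25 accounts.
SPRAY = [f"{i} user{i % 25} 198.51.100.9 FAIL" for i in range(50)]

if __name__ == "__main__":
    for name, lines in (("stale device", STALE_DEVICE),
                        ("distributed", DISTRIBUTED), ("spray", SPRAY)):
        policy, actions = run(lines)
        print(name, actions[-1], "locked:", sorted(policy.locked_accounts))
```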

In reality, what is considered effective security implementation is security implementation designed to prevent high probability events, without hurting the business in the process.

No. Your focus on "high probability" is misguided. That's a minimum requirement, not the end. Effective security is a trade off of cost for coverage. The huge gaping flaw in your argument here is that:

Locking out an account is practically the same as locking out a device as far as the user is concerned. You've failed to address that point twice now, despite being directly questioned on it. So I am pretty sure you understand it, but just don't want to admit it.


Ah, so now you've changed from the general case to this specific case. The vast, vast majority of users who need to log into a system have only one system from which to do it from.

Your entire argument fails on that singular premise.

So... a guy who gets his account locked out because of his iPad... has the iPad as his only device? The guy with the iPad getting his account locked out - already breaks the assumption that it's his only device, excepting very few rare circumstances.

Jesus, did you miss the entire message you quoted? So what if this particular case is about someone with an iPad? The guy went off with BIG BOLD CAPS about how it was a massive fatal totally unacceptable flaw when in reality it's a very rare case, so not worth all the increased risk and cost to handle it in code rather than as an exception to a human.

Think about it - lock out all the domain administrator accounts, and the network is now yours to explore.

So this hacker already knows what the admin accounts are and there are no admins currently logged in and then you wrote something unintelligible about using

You certainly don't stop them by locking a legitimate account, or you are making a denial of service trivially easy.

It depends on what's more valuable - easy access to the account or protecting what's inside the account. Plus it isn't like a DOS happens in isolation, the user gets locked out and calls the support desk.. Chances are he's going to do exactly the same thing if you lock out the computer he's on or you lock out his account.

The principle of locking an account out after a defined number of failed login attempts is a long standing security principle, it significantly reduces the likely success of brute force hacking attempts.

Before you start jumping to the defense of Apple/the iPad you should perhaps strive to learn a little more about well defined and documented security principles.

An application that just keeps retrying the same username/password after being told that the combination is wrong is just incredibly stupid and is a

The point of the complaint is that if the iDevice has the wrong password cached, it will keep trying that password forever instead of giving up. The problem, therefore, is that it will lock the user out. This is different from Blackberry, for example, which freaks out immediately, alerts the user and quits trying the same password over and over.

The complaint is NOT about locking as a security measure, but that the iDevices behave in a way that causes accounts to get locked out needlessly.

1. The iPad is made in China (the paranoids could say there could be a backdoor in there, just like we've made backdoors within Intel products and Xerox Machines in the past, we're fearful that a large enough foreign power would try doing the same back to us at some point. It wouldn't have to be an obvious backdoor. Introducing a vulnerability or two into iPhones/iPads at a low enough level could still allow China access to our devices and yet still provide some plausibility of denial that this was just a v

Of course, US law doesn't prohibit the military from producing weapons, so there's really no conflict in the license terms. I've seen that line in a lot of licenses for a lot of products that seem to have absolutely nothing to do with anything related to weapons or manufacturing of the same. I think it's just something that a lot of product manufacturers throw in there to cover their ass in case some terrorist gets caught with an iphone/ipad/whatever in their car.

(2) You will not use the RIM Products and Software in the development, production, handling, maintenance, storage, detection, identification or dissemination of chemical, biological or nuclear weapons or their missile delivery systems, or of materials or equipment that could be used in such weapons or their missile delivery systems, or resell or export to anyone or any entity involved in such activity;

That's pretty standard legalese found in most SLAs. So is RIM a controlling hippie, also?


The government is hard to understand. All this proves is that RIM is good at passing these gates. Dell is good at this too, and a US company, and has Android tablets. RIM Won't be alone on this field long enough to matter.

I've got a friend whose business is stuffing the iPad full of flight documentation and manuals and it's for defence. Sorry, don't make stuff up.

You, sir, may have a "friend", but he is *not* stuffing iPads with whatever for Air Force flight crews, at least not for official use. For the USAF, it is *not* an approved device. In fact, there are *no* Apple devices that are approved to be connected to our network (at least NIPR or SIPRNET), so it would not be possible to update the device - flight pubs, nav databases, and Jeppesen products are updated quite often, almost monthly. Not to mention the aircraft TOs and FCIFs. Currently, the only portable


Is my business the only one ever to realise that BlackBerry stores your emails on their servers, and that the Patriot Act gives the US government the right to read it? I don't understand why so many businesses overlook that.

What does it matter if RIM is holding encrypted emails that they don't have the key to decrypt?
They don't overlook it, because there's nothing to overlook. The government doesn't have the keys to decrypt those messages either. Hence RIM's problems in Middle East countries.


That whole affair with service in India proved that if they really want to, they can indeed decrypt the e-mails.

Really? I don't recall RIM capitulating on BES encryption, only BIS where they actually have access to the keys. BES is encrypted with keys not held by RIM, so how would RIM give them access? I suppose if you happen to crack the keys... but it's not like they're relying on encryption methods and key generation methods that aren't known... and there's a reason Governments force RIM to give them BIS access instead of just cracking it themselves...

Problems RIM has capitulated on... problems they didn't seem to have with the US government which, if you think about it, can only mean that it was given to them quietly and without a fuss. RIM controls not just what passes through their servers (which is everything) but also controls the servers which integrate with the unencrypted servers on the government/business end. Given how easily most telecoms rolled over and allowed the NSA to set up their listening rooms, I have little doubt that RIM was compli


I wish the problem were simple ignorance as you describe. That may be going on as well, of course, but the real problem is much worse than the kind of ignorance that could be remedied with a couple minutes' explanation. The problem is denial.

The problem is that the average person doesn't recognize the danger that represents. They think, "well *I* have nothing to hide" and "well, *I* haven't done anything illegal". Of course, both of those assume that government thugs would only ever go after real cri

So I suppose you don't use webmail google apps or any online storage? If the government wants to know what you are doing there are a lot of other ways they can find out beyond asking RIM for a copy. After all, it is *email* which is sent plain text over public networks. Remember those special rooms in the at&t facilities that were oh so controversial a while back? I'll give you a hint, they weren't being used to store old bollywood films.

I use these services for personal use indeed. There's no industrial secret (or any secret) in my personal email. But my business stores everything in house and email communication with key partners or customers is on TLS.

Not quite. But for once, the article isn't any more accurate than the Slashdot summary.
The Federal Information Processing Standard (FIPS), which comes from the National Institute of Standards and Technology, is a test of the encryption module of a device or software. In this case, it is RIM's proprietary OS that runs on the PlayBook that has had its crypto module validated (PlayBook FIPS certificate [nist.gov]).
Yes, it is probably the first tablet to achieve this, since most computers leverage Windows' validated crypto module (go here, FIPS certificates [nist.gov], and search for Microsoft). However, meeting FIPS is only part of the process. Federal regulation also requires National Information Assurance Partnership (NIAP) certification and a test by an approved DoD test lab. After all of that, the device or software will probably be "certified for use in the U.S. government".

You forgot to mention that they only have a level 1 certification - which is the bare minimum set of requirements. The security library was developed by Certicom, known as the "Security Builder FIPS Module."

Getting it certified was really just using the existing certification on a new platform - which only requires a security policy update, some known answer tests, and a run through of the self-testing framework (in some cases - the NIST is funny about that). No code review and not a lot of approved lab time is required for a platform port as long as the hardware is similar and software stays the same.

NIAP certification and DoD testing are not at all required; the vast majority of IT products in use by the government lack these tests. The term for what you described is Common Criteria certification, which is expensive and cumbersome for a vendor to undergo (and only relates to a specific version of a product as well). Also, while you got it right that a FIPS 140-2 certification only applies to a cryptographic module or modules, you also miss that the majority of products that are FIPS 140-2 certified u

Wait, I'm sorry, since when is BlackBerry Bridge "Hard"? It has an additional requirement of having a BlackBerry phone, but that's not hard, it's an additional requirement.

And is getting media on or off the PlayBook that hard? Certainly BlackBerry Desktop Manager supports the PlayBook, no?

I think you're confusing "hard" and "different than what I want". If you don't want to do things the way the PlayBook does things, well then, don't buy a PlayBook. If you have to deal with one for work, well, can you hones

I think the name is intended to be a sports reference, to the list of set plays that a team develops ahead of time.

The use of metaphors referring to team sports is nearly universal in corporates and Fedland. "She's not a team player" is about the worst thing that could be said of someone. You're expected to "take one for the team" when your boss screws up. And so on.

So, in RIM's target market, "playbook" is intended to hook into key parts of the cult-ure.

The name "PlayBook" is supposed to draw a parallel to the sports world, where a playbook is used as a device for storing plans of action. Since this device can be used to store files of value (much like the secret plays of a sports team) the name "playbook" makes sense (as opposed to "WorkBook").

BlackBerry PlayBook is... how should I put it... hmmm... cramming a roll-cage and bucket seats into a family saloon.

Certainly, any digital toy can escape the hands of its owner. But mobile phones having been with us for a good decade or so, we rarely misplace them. On the contrary, tablets being the new toy in our life, and the PlayBook being in a smaller form factor, the chances of misplacing it are rather high. So it is somewhat justifiable to include the "bridging" feature. Then again, it kills the usability as a standalo

The last time we had a RIM/Blackberry discussion, I went on about what is good about RIM/Blackberry and what they are doing right. Suffice to say, they are all about business and getting things done.

In contrast, all the other things in the smartphone movement are about fun distractions and what new, innovative and original thing can be done next... oh yeah, and getting sued or suing over it. With tablets, the first thing in most people's mind was "what do I need this for?" and the most common criticism was "this is just a bigger phone!" And almost ALL of this focuses attention on the client side of things.

RIM/Blackberry's idea is that the phone is one of two parts of the whole. The other part is the server side. It is the server side which integrates the client device with the business stuff. If you're not integrating with your business, whatever that is, you're not getting what you need where business is concerned.

iDevice and Android use the opposite approach where the client side is the only thing. This approach is fine for Apple, because Apple wants a piece of everything the user does or experiences. This approach is fine for Google because they are getting what they want from the user as well. But neither of these things cares much about what business wants,

But the majority of people here will continue to chant "RIM/Blackberry is letting the world pass them by! They are dying and they don't even know it!" I just can't subscribe to that point of view. There's no question that there is a huge market for consumer oriented devices which includes iThings and Androids and that market is booming (and will have an expected bust eventually).

But that's not the market RIM/Blackberry lives in. They live in business and government markets where the requirements are different and among these are reliability, predictability, stability, workability and a lot of things that utterly bore the consumer public. The consumer public is a collection of solitary individuals and they only need to work (or play) the way they want to and they crave different things and new things all of the time. Government and business are entities comprised of teams of people who need to be able to do things in concert with each other. Enabling that need over handheld mobile devices is a tremendous challenge that they have mostly been able to meet and continue to meet.

It's not hard to imagine what you would be able to do with a tablet over a phone where Blackberry is concerned. The ability of a tablet to deliver and interact with information is quite obvious and that's what Blackberry is for. And for many business people, it can easily replace their luggable laptops. What is harder to imagine is how tablets benefit consumers. For most, it is a new shiny thing to play with and they will realize before too long that they don't need to be burdened with the size/weight/fragility of the tablet devices when comparing that against the benefits they get from their use. (A consumer's ROI analysis.)

It's nice to say that the RIM tablet is the first tablet to gain NIST approval, but I suspect it will be the only tablet to gain NIST approval unless Apple or an Android maker gets into making business integration servers which integrate the handhelds with the enterprise which is hard to imagine. Apple has repeatedly demonstrated that they don't want to do business or government -- it's too heavy of a responsibility for them. Android makers are more beholden to the carriers than the consumer or any business. It is just unimaginable for the tide to change in that regard.

I second the thought about BlackBerry and the corporate world. However, the lack of native BlackBerry functions like email and calendar will kill them if not corrected soon. That is a function that corporate clients expect. I think HP will likely get NIST certified with their WebOS tablet and Microsoft will likely team up with someone to get a Windows 7 tablet certified.

I second the thought about BlackBerry and the corporate world. However, the lack of native BlackBerry functions like email and calendar will kill them if not corrected soon. That is a function that corporate clients expect

Some people see this as a huge advantage. Chances are that you're already managing any number of BB phones -- with BB Bridge, all of the features you want are handled instantly, with IT needing to do *absolutely nothing* to integrate the PlayBook into their environment.

If a PlayBook gets lost, it's no big deal. All your important data is secure on your already managed phone. Once the bridge connection is broken (say, by being out of range) NO data is stored on the PlayBook.

I agree that the corporate market and the consumer market are different, and that both RIM and Apple/Google currently serve those respective markets quite well.

What is harder to imagine is how tablets benefit consumers. For most, it is a new shiny thing to play with and they will realize before too long that they don't need to be burdened with the size/weight/fragility of the tablet devices when comparing that against the benefits they get from their use. (A consumer's ROI analysis.)

Spoken like a marketer for RIM. RIM is a dead man walking in the enterprise. Yes, they're the only ones to have their own management software but there are a dozen vendors lining up with mobile device management solutions. Vendors like Good Technology and MobileIron are making enterprise-grade equivalents to BES for the iPhone/iPad and Android space. The problem, as it's always been, is applications. It's a nightmare to write anything for BlackBerry. Comparatively speaking, writing apps for iPhones and Andr

Rather than maximising the amount of money wasted on profit for corporations, when will government make it an aim to minimise the amount it does not produce in-house at cost? Entirely private innovation, where "private" means no connection to government or academia and "innovation" is meant in the technical rather than Apple marketing sense, is rare - if the need is to do something new, and the initial outlay is not too great, you'd be better off hiring and treating well the best people for the job. (Intell